I. Background

Odoo includes an optional "Database Anonymization" module that can be
used by administrators to perform a one-shot reversible anonymization
of their database contents. This is typically used to remove all
identifiable names and details from the address book and all documents
in an Odoo database, prior to sending it to Odoo's upgrade systems.
The operation can be reversed later once the database upgrade is
completed.

II. Problem Description

The serialization system used to store the local data to reverse the
anonymization procedure relies on the "pickle" object serialization
algorithm.
The pickle module of Python is not secure against erroneous or
maliciously constructed data, and in its default configuration, could be
exploited to execute arbitrary Python code.
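The usual mitigation when pickle cannot be replaced outright is to refuse every global reference that the data does not legitimately need. The following example is added here and is not Odoo's code; it assumes the reversal data consists only of plain containers and scalars (an assumption, not something the advisory states), so any pickle that names a module-level object is rejected before it can be resolved.

```python
import builtins
import io
import os
import pickle

# Assumption: the anonymization reversal mapping only needs these builtins.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool", "NoneType"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an allowlist of builtins.

    pickle's default find_class will import any module named in the stream;
    overriding it is the documented way to stop GLOBAL/STACK_GLOBAL opcodes
    from reaching arbitrary callables.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() for untrusted reversal files."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def round_trip(obj):
    """Serialize a trusted object and load it back through the restricted path."""
    return restricted_loads(pickle.dumps(obj))


def rejects_global() -> bool:
    """A stream that merely references a non-allowlisted global must be refused.

    os.getcwd is harmless and is never called here; it only stands in for any
    module-level object a crafted file might name.
    """
    data = pickle.dumps(os.getcwd)
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample shaped like a (model, record id, field) -> value map.
    print(round_trip({("res.partner", 42, "name"): "Alice Example"}))
    print("rejected global:", rejects_global())
```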

III. Impact

Malicious users with access to an administrator account on an Odoo
database could craft a malicious anonymization data file, and use it to
execute arbitrary Python code.

This would allow them to execute commands with the system privileges of
the Odoo service, possibly accessing local files, local services, etc.

Systems that host Odoo databases for untrusted users (e.g. SaaS platforms)
are particularly at risk, as they typically allow users to become
administrators of their own Odoo database. This is sufficient to exploit
the vulnerability.

Odoo S.A. is not aware of any malicious use of this vulnerability.

IV. Workaround

Administrators of Odoo deployments where untrusted users are allowed to
manage their own Odoo databases (SaaS-like) can make the Database
Anonymization module unavailable by deleting its folder ("anonymization")
from the "addons_path" directory and restarting the relevant Odoo service.

Odoo Online servers have been patched as soon as the correction was
available.

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected: